An Extreme switch won’t be affected as long as “https” is disabled, as in the test result below, but it is strongly recommended not to use a version which does not have the patch. Below is the result of the nmap scan to identify the vulnerability.

OpenSSL 1.0.1 contains a vulnerability that could disclose sensitive private information to an attacker. This vulnerability is commonly referred to as "heartbleed."

The advisory impact...

By attacking a service that uses a vulnerable version of OpenSSL, a remote, unauthenticated attacker may be able to retrieve sensitive information, such as secret keys. By leveraging this information, an attacker may be able to decrypt, spoof, or perform man-in-the-middle attacks on network traffic that would otherwise be protected by OpenSSL.

Discussion
Vulnerability notification CVE-2014-0160 was released on April 7 2014.
Its Overview states:

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

The high visibility and potentially high impact of this issue have spawned many follow-up reports, which are visible in a web search for "heartbleed" or "CVE-2014-0160".

Patches have been developed to address this vulnerability across all affected products, and these will be included in subsequent GA releases. Patch availability is discussed in 16131, which addresses this issue being tracked as US-CERT Vulnerability Advisory VU#720951.
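
The CVE overview quoted above describes a buffer over-read caused by improper handling of Heartbeat Extension packets. The following is an added example, not OpenSSL's code and not part of the original thread, showing the length validation a heartbeat handler needs per the RFC 6520 message layout; the function names and sample records are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 HeartbeatMessage: type(1) | payload_length(2) | payload | padding(>=16) */
#define HB_REQUEST     1
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16

/* Hypothetical helper (not an OpenSSL API). Copies the payload to echo into
 * out and returns its length, or -1 if the message must be silently dropped. */
int hb_echo_payload(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec == NULL || out == NULL)
        return -1;
    /* Even an empty payload needs the header plus the minimum padding. */
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return -1;
    if (rec[0] != HB_REQUEST)
        return -1;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    /* Core check: the length the peer claims must fit inside the bytes that
     * were actually received. Trusting it unchecked is the over-read. */
    if (claimed > rec_len - HB_HEADER_LEN - HB_MIN_PADDING)
        return -1;
    if (claimed > out_cap)
        return -1;
    memcpy(out, rec + HB_HEADER_LEN, claimed);
    return (int)claimed;
}

/* Constructed sample records; unlisted trailing bytes are zero padding. */
static const uint8_t SAMPLE_OK[23]        = {1, 0x00, 0x04, 'p', 'i', 'n', 'g'};
static const uint8_t SAMPLE_OVERCLAIM[20] = {1, 0x40, 0x00, 'A'}; /* claims 16384 bytes */
static uint8_t hb_out[64];

int demo_well_formed(void) { return hb_echo_payload(SAMPLE_OK, sizeof SAMPLE_OK, hb_out, sizeof hb_out); }
int demo_overclaimed(void) { return hb_echo_payload(SAMPLE_OVERCLAIM, sizeof SAMPLE_OVERCLAIM, hb_out, sizeof hb_out); }

int main(void)
{
    printf("well-formed request: %d\n", demo_well_formed());
    printf("over-claimed length: %d\n", demo_overclaimed());
    return 0;
}
```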

This reply was created from a merged topic originally titled heartbleed OpenSSL vulnerability. Does anyone have any information on whether or not and which Enterasys or Extreme products are affected by this vulnerability?